

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXI - Issue #88

November 8, 2019

Twitter Employees Spying for Saudi Arabia; Cyber Remediation in Hospital Impacts Patient Care





  Former Twitter Employees Face Charges for Allegedly Spying for Saudi Arabia

  Study: Remediation in Wake of Hospital Cyberattack Has Negative Effect on Patient Care



  Undelivered Texts

  Amazon Fixes Ring Video Doorbell Flaw

  Static Encryption Keys and Hardcoded Password Hashes in Cisco Routers

  China Arrests Alleged Botnet Operators  

  Trend Micro Data Stolen and Used in Support Call Scam

  Hackers Exploiting Firefox Flaw to Freeze Browser

  Google App Defense Alliance Aims to Keep Malware Out of Play Store

  Hidden Siemens PLC Feature Could Be Exploited by Malicious Actors

  Nunavut Government Slowly Recovering from Ransomware








--Former Twitter Employees Face Charges for Allegedly Spying for Saudi Arabia

(November 6 & 7, 2019)

Two former Twitter employees have been charged with spying for Saudi Arabia. The two individuals allegedly accessed Twitter's internal systems to find personal information about people who were critical of Saudi royals and government.   

[Editor Comments]

[Neely] Insider threats can be difficult to thwart. Key mitigations include segregation of duties and regular reviews of privileged account use. Also consider if there are intervals or other changes that should trigger an updated background check.

Read more in:

Washington Post: Former Twitter employees charged with spying for Saudi Arabia by digging into the accounts of kingdom critics


The Register: Ex-Twitter staff charged with spying for Saudi royals: Duo accused of leaking account records, including those of critics


ZDNet: Saudi Arabia allegedly recruited former Twitter employees to access user data


Ars Technica: Former Twitter employees charged with spying on users for Saudis


Washington Post: Read the criminal complaint involving former Twitter employees



--Study: Remediation in Wake of Hospital Cyberattack Has Negative Effect on Patient Care

(November 7, 2019)

A study by researchers at Vanderbilt University's Owen Graduate School of Management suggests that the security measures hospitals put in place after a data breach have a negative effect on patient care. The report says, "Remediation activity may introduce changes that delay, complicate or disrupt health IT and patient care processes." At hospitals that had experienced breaches, heart attack patients waited as much as 2.7 minutes longer for an electrocardiogram after arrival, and the 30-day mortality rate for heart attack patients was higher than at hospitals with no breach history.

Read more in:

KrebsOnSecurity: Study: Ransomware, Data Breaches at Hospitals tied to Uptick in Fatal Heart Attacks


Online Library: Data breach remediation efforts and their implications for hospital quality





--Undelivered Texts

(November 7, 2019)

On Thursday, November 7, people reported receiving odd text messages that had apparently been sent months earlier, many of them dated around Valentine's Day. The issue affected both Android and iOS users on multiple carriers. It appears to stem from a "maintenance update" at Syniverse, a third-party vendor that routes text messages for many carriers; a company spokesperson said that 168,149 previously undelivered messages were released to subscribers.

[Editor Comments]

[Neely] Typically unsent SMS messages expire in about 72 hours and are deleted, which suggests these are not unsent messages but mis-delivered test data. This appears to be a case of using old production data for testing without fully sanitizing it to ensure production users were not impacted.

Read more in:

Quartz: You're not the only one receiving mysterious text messages


Wired: Why Many People Got Mysterious Valentine's Day Texts Today
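The editor comment above points at the underlying control: production records should be pseudonymized before they are copied into a test environment, so that a test run can never reach a real subscriber. The following is an added example of that control, not Syniverse's code, and it assumes nothing about their systems; the record layout, the sample records and the reserved test number prefix are assumptions for illustration.

```python
"""Pseudonymize production SMS records before they are copied into a test
environment, so that a test run can never deliver to a real subscriber.
Added example prompted by the editor comment above; it is not Syniverse's
code and assumes nothing about their systems. The record layout and the
reserved test number prefix are assumptions for illustration.
"""
import hashlib
import hmac

# Assumption: the test SMS gateway routes every number under this prefix to a
# sink (logged, never delivered). No real subscriber can match it.
TEST_PREFIX = "+1555010"

# Constructed production records (not real data).
PRODUCTION_RECORDS = [
    {"id": 1, "from": "+14155550123", "to": "+12125550199",
     "body": "Happy Valentine's Day!", "queued_at": "2019-02-14T09:00:00Z"},
    {"id": 2, "from": "+12125550199", "to": "+14155550123",
     "body": "You too!", "queued_at": "2019-02-14T09:01:30Z"},
    {"id": 3, "from": "+13105550147", "to": "+12125550199",
     "body": "Running late", "queued_at": "2019-02-14T09:05:00Z"},
]


def pseudonymize_number(number, key, prefix=TEST_PREFIX):
    """Deterministic, keyed, one-way mapping of a phone number into the sink range.

    Deterministic so a conversation between two parties stays linked across
    records; keyed (HMAC) so nobody without the key can recompute the mapping
    from a phone directory; the prefix guarantees the result is undeliverable.
    """
    digest = hmac.new(key, number.encode(), hashlib.sha256).digest()
    # 4 digits gives 10,000 pseudonyms; widen for a real dataset.
    return prefix + f"{int.from_bytes(digest[:4], 'big') % 10_000:04d}"


def sanitize_records(records, key):
    """Return new records safe for a test environment; production input is untouched."""
    out = []
    for rec in records:
        out.append({
            "id": rec["id"],
            "from": pseudonymize_number(rec["from"], key),
            "to": pseudonymize_number(rec["to"], key),
            # Keep the length so size-dependent code paths are still exercised,
            # but drop the content: message text is customer data too.
            "body": "x" * len(rec["body"]),
            "queued_at": rec["queued_at"],
            "env": "test",
        })
    return out


def safe_for_test(records, production_records=None, prefix=TEST_PREFIX):
    """Gate before the export is loaded: every number must be in the sink
    range and nothing from the production batch may survive verbatim."""
    real_numbers = {r[k] for r in (production_records or []) for k in ("from", "to")}
    real_bodies = {r["body"] for r in (production_records or [])}
    for rec in records:
        if not (rec["from"].startswith(prefix) and rec["to"].startswith(prefix)):
            return False
        if rec["from"] in real_numbers or rec["to"] in real_numbers:
            return False
        if rec["body"] in real_bodies:
            return False
    return True


if __name__ == "__main__":
    test_batch = sanitize_records(PRODUCTION_RECORDS, b"per-environment-test-key")
    for rec in test_batch:
        print(rec)
    print("safe:", safe_for_test(test_batch, PRODUCTION_RECORDS))
```

The HMAC key should be specific to the test environment and discarded with it; if the same key were reused, the pseudonyms would become a stable identifier for real subscribers across exports. The `safe_for_test` gate is the check to run in the pipeline that loads the export, not in the script that produces it, so a skipped sanitization step is caught before any message is queued.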



--Amazon Fixes Ring Video Doorbell Flaw

(November 7, 2019)

Amazon has fixed a vulnerability in its Ring Video Doorbell Pro Internet-connected doorbell that could be exploited to capture the home network's Wi-Fi credentials. Bitdefender researchers found that during initial setup the doorbell opens an unprotected local access point, and the Ring app sends the home network's SSID and password to it over plain HTTP rather than HTTPS, so anyone in radio range can sniff them; an attacker can force a configured device back into setup mode by sending Wi-Fi deauthentication frames. A fix has been pushed out to all devices.

Read more in:

BitDefender: Ring Video Doorbell Pro Under the Scope


ZDNet: Amazon fixes Ring Video Doorbell wi-fi security vulnerability
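The weakness is a general one: any credential that travels over plain HTTP can be read by whoever can see the traffic. As an added example (not Bitdefender's or Amazon's code), the script below parses captured HTTP requests and reports the ones that carry credential-like parameters in the query string, a JSON body or a form body; the captured flows, addresses, paths and field names are constructed for illustration and do not reproduce the Ring protocol.

```python
"""Find credentials travelling over plain HTTP in captured traffic, the class
of weakness fixed in the Ring Video Doorbell Pro. Added example, not
Bitdefender's or Amazon's code; the captured requests below are constructed,
and the addresses, paths and field names are assumptions.
"""
import json
from urllib.parse import parse_qs, urlsplit

# Parameter names that should never appear in a sniffable request.
CREDENTIAL_KEYS = {"password", "passwd", "pass", "psk", "wifi_password",
                   "wpa_key", "secret", "token", "api_key"}

# Constructed flows: (scheme, src, dst, raw request bytes). The first two mimic
# a setup app handing Wi-Fi credentials to a device's open access point.
SAMPLE_FLOWS = [
    ("http", "192.168.240.2", "192.168.240.1",
     b"POST /wifi HTTP/1.1\r\nHost: 192.168.240.1\r\n"
     b"Content-Type: application/json\r\n\r\n"
     b'{"ssid": "HomeNet", "password": "correct horse battery"}'),
    ("http", "192.168.240.2", "192.168.240.1",
     b"POST /setup HTTP/1.1\r\nHost: 192.168.240.1\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
     b"ssid=HomeNet&psk=correct+horse+battery"),
    ("http", "10.0.0.5", "10.0.0.9",
     b"GET /status?device=door HTTP/1.1\r\nHost: 10.0.0.9\r\n\r\n"),
    ("https", "10.0.0.5", "203.0.113.10", b"<tls record, opaque to the sniffer>"),
]


def parse_http_request(raw):
    """Split a raw HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def request_fields(target, headers, body):
    """Collect parameters from the query string and a JSON or form body."""
    fields = {k: v[0] for k, v in parse_qs(urlsplit(target).query).items()}
    content_type = headers.get("content-type", "")
    if body and "application/json" in content_type:
        try:
            data = json.loads(body)
        except ValueError:
            data = None  # malformed JSON: nothing to add
        if isinstance(data, dict):
            fields.update({str(k): str(v) for k, v in data.items()})
    elif body and "x-www-form-urlencoded" in content_type:
        fields.update({k: v[0] for k, v in parse_qs(body.decode("latin-1")).items()})
    return fields


def find_cleartext_credentials(flows):
    """Return one finding per plain-HTTP request that carries a credential-like field."""
    findings = []
    for scheme, src, dst, raw in flows:
        if scheme != "http":
            continue  # TLS-protected flows cannot be inspected this way
        method, target, headers, body = parse_http_request(raw)
        leaked = sorted(k for k in request_fields(target, headers, body)
                        if k.lower() in CREDENTIAL_KEYS)
        if leaked:
            findings.append({"src": src, "dst": dst, "method": method,
                             "path": urlsplit(target).path, "fields": leaked})
    return findings


if __name__ == "__main__":
    for f in find_cleartext_credentials(SAMPLE_FLOWS):
        print(f"{f['src']} -> {f['dst']} {f['method']} {f['path']}: cleartext {f['fields']}")
```

Run against a real capture, the same logic applies after reassembling TCP streams; the point of the example is that the check needs no knowledge of the device, only of which field names a credential usually hides behind, which is why a product test suite can apply it to every onboarding flow before shipping.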



--Static Encryption Keys and Hardcoded Password Hashes in Cisco Routers

(November 7, 2019)

Cisco has released firmware updates to fix several security issues affecting its RV320 and RV325 Dual Gigabit WAN VPN Routers. Cisco notes the issues as "static certificates and keys, hardcoded password hashes, and multiple vulnerabilities in third-party software components."

[Editor Comments]

[Neely] These certificates and credentials were never intended for production use. Updating to the latest firmware for your small business device resolves the problem.

[Murray] It is late in the game to still have these implementation-induced vulnerabilities. We must be able to rely upon major infrastructure providers for secure design. One can only wonder about the training and supervision that results in such gross "software engineering" errors.

Read more in:

Cisco: Cisco Small Business RV320 and RV325 Dual Gigabit WAN Routers Issues


ZDNet: Cisco: All these routers have the same embedded crypto keys, so update firmware
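The two problems Cisco names, static key material and hardcoded password hashes, are both visible in a firmware image before it ever reaches a device. As an added example (not Cisco's code or advisory tooling), the script below scans an image for PEM private keys, certificates and crypt(3)-style password hashes, and then compares PEM blocks across several images to show which key material is identical everywhere; the sample images are constructed placeholders and contain no real keys or hashes.

```python
"""Audit a firmware image for embedded private keys, certificates and
password hashes, and check whether the same key material recurs across
images. Added example, not Cisco's code or advisory tooling; the sample
images are constructed and contain no real key material.
"""
import hashlib
import re
from collections import defaultdict

PATTERNS = {
    "pem_private_key": re.compile(rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "pem_certificate": re.compile(rb"-----BEGIN CERTIFICATE-----"),
    # crypt(3)-style hashes as found in /etc/passwd or /etc/shadow:
    # $1$ md5crypt, $5$ sha256crypt, $6$ sha512crypt, $2a/b/y$ bcrypt
    # (the rounds=N variant of $5$/$6$ is deliberately not matched here)
    "crypt_hash": re.compile(rb"\$(?:1|5|6|2[aby]?)\$[./A-Za-z0-9]{1,16}\$[./A-Za-z0-9]{22,86}"),
}

# A whole PEM block, BEGIN to its matching END, used for cross-image comparison.
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.DOTALL)

# Constructed sample data (placeholders, not real keys or hashes).
PRIVATE_KEY = (b"-----BEGIN RSA PRIVATE KEY-----\n"
               b"PLACEHOLDER+NOT+A+REAL+KEY\n"
               b"-----END RSA PRIVATE KEY-----\n")
CERT_A = b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER+CERT+A\n-----END CERTIFICATE-----\n"
CERT_B = b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER+CERT+B\n-----END CERTIFICATE-----\n"
PASSWD_LINE = b"root:$1$abcdefgh$" + b"A" * 22 + b":0:0:root:/root:/bin/sh\n"

IMAGE_A = b"\x00" * 16 + PASSWD_LINE + b"\xff" * 8 + PRIVATE_KEY + b"\x00" * 4 + CERT_A
IMAGE_B = b"\x7fELF" + b"\x00" * 12 + PRIVATE_KEY + CERT_B


def find_embedded_secrets(blob, context=32):
    """Return [{kind, offset, snippet}] for every secret-looking match, ordered by offset."""
    findings = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(blob):
            snippet = blob[m.start():m.start() + context].decode("latin-1")
            findings.append({"kind": kind, "offset": m.start(), "snippet": snippet})
    return sorted(findings, key=lambda f: f["offset"])


def shared_pem_blocks(images):
    """Map SHA-256 of each PEM block to the images that contain it, keeping
    only blocks seen in more than one image: a key or certificate that is
    identical across firmware builds (or across devices) is static by definition."""
    seen = defaultdict(set)
    for name, blob in images.items():
        for m in PEM_BLOCK.finditer(blob):
            seen[hashlib.sha256(m.group(0)).hexdigest()].add(name)
    return {digest: sorted(names) for digest, names in seen.items() if len(names) > 1}


if __name__ == "__main__":
    for f in find_embedded_secrets(IMAGE_A):
        print(f"{f['offset']:#08x} {f['kind']:16} {f['snippet']!r}")
    shared = shared_pem_blocks({"rv320.bin": IMAGE_A, "rv325.bin": IMAGE_B})
    for digest, names in shared.items():
        print(f"static PEM block {digest[:16]}... present in {names}")
```

A private key found inside a firmware image is a finding on its own, since every unit running that image shares it; the cross-image comparison adds the second signal the advisory describes, the same certificate or key reappearing across builds or models. Squashfs or compressed sections must be unpacked first, or the patterns never see the plaintext.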



--China Arrests Alleged Botnet Operators  

(November 6, 2019)

Authorities in China have arrested 41 people in 20 cities who are believed to have run a botnet offering distributed denial-of-service (DDoS) attacks for hire. The botnet is built from more than 200,000 compromised websites. The arrests followed an investigation lasting more than a year.

Read more in:

ZDNet: Chinese police arrest operators of 200,000-strong DDoS botnet



--Trend Micro Data Stolen and Used in Support Call Scam

(November 6, 2019)

A Trend Micro employee stole consumer customer data and sold it to criminals, who used the information to run a technical support phone scam in which callers posed as Trend Micro support staff. The incident affected up to 68,000 customers.

Read more in:

Trend Micro: Trend Micro Discloses Insider Threat Impacting Some of its Consumer Customers


CNET: Trend Micro says one of its employees stole and sold customer data


Ars Technica: Tech-support scammers used data stolen by Trend Micro employee


Threatpost: Rogue Trend Micro Employee Sold Customer Data for 68K Accounts


SC Magazine: Trend Micro hit with insider attack
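Both insider items in this issue, the former Twitter employees looking up critics' accounts and the Trend Micro employee exporting customer records, involve a staff member with legitimate tool access using it outside any business need. The mitigation named in the editor comment on the Twitter item, regular review of privileged account use, depends on an audit log that records who looked at what and why. The following is an added example (not code from SANS, Twitter or Trend Micro) of a review pass over such a log; the log format, field names, sample records and thresholds are assumptions chosen for illustration.

```python
"""Flag insider-style customer-record lookups in an internal admin-tool audit log.

Added example for the Twitter and Trend Micro insider items above; it is not
code from SANS, Twitter or Trend Micro. The log format, field names and
thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed audit log (not real data): who viewed or exported which customer
# record, when, and which support ticket justified it (ticket= means none).
AUDIT_LOG = """\
2019-11-04T09:02:11Z staff=alice action=view_profile target=acct-1001 ticket=T-551
2019-11-04T09:05:40Z staff=alice action=view_profile target=acct-1002 ticket=T-552
2019-11-04T09:06:02Z staff=bob action=view_profile target=acct-2001 ticket=
2019-11-04T09:06:09Z staff=bob action=view_profile target=acct-2002 ticket=
2019-11-04T09:06:15Z staff=bob action=view_profile target=acct-2003 ticket=
2019-11-04T09:06:21Z staff=bob action=export_contacts target=acct-2004 ticket=
2019-11-04T09:06:30Z staff=bob action=view_profile target=acct-2005 ticket=
2019-11-04T09:06:41Z staff=bob action=view_profile target=acct-2006 ticket=
2019-11-04T09:30:00Z staff=carol action=view_profile target=acct-3001 ticket=T-560
2019-11-04T02:10:00Z staff=carol action=export_contacts target=acct-3002 ticket=
"""


def parse_audit_log(text):
    """Turn 'timestamp key=value ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        event = dict(f.split("=", 1) for f in fields)
        event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def review_access(text, burst_window=60, burst_targets=5, work_hours=(7, 19)):
    """Return {staff: [reasons]} for staff whose lookups deserve a human review.

    Heuristics (all thresholds are assumptions):
      - most lookups lack a ticket (no business justification recorded)
      - many distinct accounts touched inside a short window (enumeration)
      - a bulk export with no ticket (data leaving the tool)
      - activity outside working hours, in UTC
    """
    by_staff = defaultdict(list)
    for event in parse_audit_log(text):
        by_staff[event["staff"]].append(event)

    findings = {}
    for staff, events in by_staff.items():
        events.sort(key=lambda e: e["ts"])
        reasons = []

        no_ticket = [e for e in events if not e["ticket"]]
        if len(no_ticket) >= 3 and len(no_ticket) / len(events) > 0.5:
            reasons.append(f"{len(no_ticket)} of {len(events)} lookups without a ticket")

        for i, first in enumerate(events):
            in_window = {e["target"] for e in events[i:]
                         if (e["ts"] - first["ts"]).total_seconds() <= burst_window}
            if len(in_window) >= burst_targets:
                reasons.append(f"{len(in_window)} distinct accounts within {burst_window}s")
                break

        if any(e["action"] == "export_contacts" and not e["ticket"] for e in events):
            reasons.append("contact export without a ticket")

        if any(not (work_hours[0] <= e["ts"].hour < work_hours[1]) for e in events):
            reasons.append("activity outside working hours")

        if reasons:
            findings[staff] = reasons
    return findings


if __name__ == "__main__":
    for staff, reasons in review_access(AUDIT_LOG).items():
        print(f"{staff}: " + "; ".join(reasons))
```

None of these heuristics proves misuse; their job is to turn a log nobody reads into a short list a manager can check against the staff member's actual work queue. The ticket requirement is the part that matters most in practice: once every lookup must cite a case, the report reduces to "lookups without a case", which is easy to review and hard to explain away.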



--Hackers Exploiting Firefox Flaw to Freeze Browser

(November 5, 2019)

A flaw in Firefox is being actively exploited to lock up the browser. Visiting a site seeded with the malicious code, with no further user interaction, produces a pop-up claiming the user is running a pirated copy of Windows that has been hacked, after which the browser stops responding. Users must force-quit the browser to recover.

[Editor Comments]

[Murray] Browsers are porous. The problem is as much features as flaws. Prefer purpose-built apps for business applications. Isolate browsers from mission critical applications.

Read more in:

Ars Technica: Actively exploited bug in fully updated Firefox is sending users into a tizzy



--Google App Defense Alliance Aims to Keep Malware Out of Play Store

(November 4 & 6, 2019)

Google has established the App Defense Alliance to help keep malware out of the Google Play Store. The Alliance is a partnership with security companies Zimperium, Lookout, and ESET. Through the Alliance, Google will use the companies' scanning and threat detection tools to check Android apps that are waiting to be published on the Store.

[Editor Comments]

[Neely] Raising the bar on applications published to the App Store without creating a bottleneck has been a challenge for Google. Leveraging services that often detect malicious applications in the Play Store to vet them before deployment should reduce the number of detected bad apps that need removal or remediation.

Read more in:

Googleblog: The App Defense Alliance: Bringing the security industry together to fight bad apps


The Register: Google's joins Gang of Four to guard Play Store apps from malware, and maybe not fail so much


Wired: Google Enlists Outside Help to Clean Up Android's Malware Mess


ZDNet: Google asks three mobile security firms to help scan Play Store apps


Engadget: Google launches App Defense Alliance to help catch bad Android apps



--Hidden Siemens PLC Feature Could Be Exploited by Malicious Actors

(November 5, 2019)

An undocumented feature in the bootloader of certain newer Siemens programmable logic controllers (PLCs) could be exploited to bypass the firmware integrity check; the same access can also serve as a forensic tool for inspecting a PLC. The researchers reached the feature through the device's serial (UART) interface during a brief window after power-on, so it requires physical access to the controller. Siemens is developing a fix for the issue.

Read more in:

Dark Reading: Siemens PLC Feature Can Be Exploited for Evil - and for Good



--Nunavut Government Slowly Recovering from Ransomware

(November 4, 5, & 7, 2019)

The government of the Canadian territory of Nunavut was hit with a ransomware attack on Saturday, November 2. As of November 7, the government's IT department was still restoring systems from backups.

[Editor Comments]

[Murray] The time to plan your response to a "ransomware" attack is before the attack. Plan and drill. This is the "cyber" event to which you are most likely to have to respond. Tomorrow may be too late.

Read more in:

CBC: Nunavut government rebuilding network after ransomware attack


Nunatsiaq: After ransomware attack, Nunavut will reformat all GN computers


SC Magazine: Ransomware attack delays government services in Nunavut, Canada


ZDNet: Canadian Nunavut government systems crippled by ransomware





Formbook Malspam
Honeypot Update
Office on Mac XLM Macros
Firefox Browser Lock Bug Exploited
libarchive use after free vulnerability
npcap pool corruption vulnerability
TrendMicro Employee Selling Customer Data to Tech Support Scammers
SANS Security Awareness Newsletter
Adobe Mobile SDK Update Fixes TLS Defaults
QNAP Updates QSnatch Advisory
Double Loaded ZIP Files Delivering Malware
Ring Video Doorbell Leaks Wifi Password
Google Improving PlayStore Security With Partners
Xen Security Advisories



The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create